
Author Topic: Downloader-yh trojan

Snerd
Downloader-yh trojan
« on: April 10, 2005, 09:02:56 PM »
Can't get rid of it.

McAfee now can delete infected files as they occur but can't find the source. I found an entry in the registry that pointed to a file that was supposed to cause it, but that file is nonexistent now - I believe McAfee deleted it.

Have tried Ad-aware, The Cleaner, SpySubtract... all to no avail.

As I type, McAfee just told me it found another infection... (I am not doing a scan). File was Docand sets\snerd\Local settings\temp int files\Content IE5\wrebax2ti282.exe and another; they come in pairs. Both deleted. The other came from a temp area. The pattern repeats itself.

Any ideas?


Snerd
Re: Downloader-yh trojan
« Reply #1 on: April 10, 2005, 09:33:45 PM »
To continue.... sorry about the typing but I was rushed as I expected the worst. McAfee has known about it for 5 days but has nothing to say. After visiting other forums it seems the virus has an entry in the run part of the registry that starts a file, but that file seems to have many different names as every comment points to a different file.. Two strange things are happening to my computer now.

When I try to access a web site I often get the message "(the URL) could not be found. Please check the name and try again".

Also in the folder's view... it keeps reverting to icons instead of lists, and that really irritates me.

Any advice would be appreciated.

dl65
    Re: Downloader-yh trojan
    « Reply #2 on: April 10, 2005, 09:35:03 PM »
    Snerd....Well......Try this ......First .......go to folder options and set the options to show hidden files and folders........
    Then .......Using internet options .......delete cookies , Temporary internet files  and delete history .......
    Now Reboot into safe mode ( repeatedly tap F8 key at reboot and select .....SAFE mode )
    When in safe mode ...run McAfee and remove anything it finds .......
    Now reboot back into normal and see how things are .

    Let us know

    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    Snerd
    Re: Downloader-yh trojan
    « Reply #3 on: April 10, 2005, 11:56:54 PM »
    thanks Hope,
    Now get this

    I did exactly as you said with nothing found and I am using the latest DAT file.

    Rebooted in normal mode and checked to see if all was deleted and it was.
    Returned to desktop just in time to get a message from McAfee that an infected file had been found in C:\D&S\Snerd\Local Settings\TIF\Content.IE5\ The TIF folder had been empty 15 seconds ago and had an i282.Exe file in it.  Also the content.ie5 was and is nonexistent.

    Also found one cookie from emarketmakers - how did it get there?

    Then got another notice from McAfee that the trojan downloader-yh had been found and deleted from C:\D&S\Local~1\temp\tp7543.exe  - or something to that effect.

    They always come in pairs  - one in each of those directories.

    Downloading Gordano's AV because it claims to be able to delete that virus.

    Thanks and will keep you informed.

    dl65
      Re: Downloader-yh trojan
      « Reply #4 on: April 11, 2005, 01:26:32 AM »
      Snerd....Have been looking around and it seems to be a fairly recent problem . One thing I have noticed is that hijackthis appears to be of some help . So with that in mind go to ..... http://www.majorgeeks.com/download3155.html   and D/L hijackthis 1.99.1   ....then run it and post the log file here to have a look at .

      dl65  ::)
      If you don't know the answer, it isn't a dumb question.

      Snerd
      Re: Downloader-yh trojan
      « Reply #5 on: April 11, 2005, 08:00:35 AM »
      Thanks for the interest and I did as requested.

      Sorry about the AOL, but I just moved to this area and was using niece's "puter " with it and so I installed it for easy email access and the McAfee and a few other reasons. It will surely go ASAP.  

      I ran hijackthis and it crashed but did produce a log and managed to do a scan but nothing was found.  

      I know I have way too much background BS running but I am still in transition.

      Log file too long to post so I will try to post it alone.

      Let me know what I can do

      Snerd
      Re: Downloader-yh trojan
      « Reply #6 on: April 11, 2005, 08:15:55 AM »
      Logfile of HijackThis v1.99.1
      Scan saved at 6:21:34 AM, on 4/11/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
      C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
      C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
      C:\Utilities\Zone Labs\ZoneAlarm\zlclient.exe
      C:\Utilities\Lavasoft\Ad-aware 6\Ad-watch.exe
      C:\PROGRA~1\COMMON~1\AOL\110898~1\EE\AOLServiceHost.exe
      C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
      C:\Utilities\Free Download Manager\fdm.exe
      C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
      C:\Program Files\InterMute\SpySubtract\SpySub.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\WinRAR\WinRAR.exe
      C:\DOCUME~1\Snerd\LOCALS~1\Temp\Rar$EX00.969\HijackThis.exe
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
      R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
      O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
      O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\UTILIT~1\SPYWAR~1\tools\iesdsg.dll (file missing)
      O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
      O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common
      O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
      O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
      %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
      O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
      O4 - HKLM\..\Run: [Zone Labs Client] "C:\Utilities\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [Ad-watch] "C:\Utilities\Lavasoft\Ad-aware 6\Ad-watch.exe"
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
      O4 - HKCU\..\Run: [Free Download Manager] C:\Utilities\Free Download Manager\fdm.exe -autorun
      O4 - Startup: ERUNT AutoBackup.lnk = C:\Utilities\ERUNT\AUTOBACK.EXE
      O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
      O4 - Global Startup: SlipStream.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
      O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
      Manager\dlpage.htm
      O
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
      - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
      O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{C8A19B1C-0760-4CEE-8AA4-40BDC371FFCA}: NameServer = 209.244.0.3 209.244.0.4
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - C:\UTILIT~1\CACHEM~1\CachemanXP.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
      O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Utilities\Executive Software\Diskeeper\DkService.exe
      O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
      O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
      Deleted AOL and McAfee entries to fit in post.

      Snerd
      Re: Downloader-yh trojan
      « Reply #7 on: April 11, 2005, 09:01:03 AM »
      Another thing: whenever I get the message that McAfee has found and deleted a file (always in the temp int files directory) I find that it has made sure the i286.exe file is there.   If I delete it the trojan will replace it.

      The file is 31.5 Kb in size with the following URL
      http://u.urllogic.com/content/download/i282.exe

      hope this helps

      dl65
        Re: Downloader-yh trojan
        « Reply #8 on: April 11, 2005, 12:52:45 PM »
        Snerd... There are several things which I need clarification on ....
        First ........are you using a dialup or Hispeed connection ?
        Are you still using AOL as an ISP ?
        If you are on hispeed why are you using that web accelerator app?
        Now as far as .... hxxp://u.urllogic.com/content/download/i282.exe   ( note I altered the link so no one else would go there out of curiosity and become infected )
        This site immediately D/Ls and wants to install a HIGH Risk Adware ....called 1282.exe ...... it is an Adware.QoolAid  ( High Risk)   ...Norton removes it right now ........

        Now on to the log file ......

        I would do this ......for openers.....
        Delete the hijackthis log you currently have ........

        open hijackthis and click Do system scan and save file log.......( it should save to your desktop)
        Next click config ...... when the config page opens .......in the 4 URL boxes ........type in each of them ........
        http://www.msn.com and then click the back button ......

        Now mark for removal , the following :
        All R1 entries
        All R3 entries
        O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\UTILIT~1\SPYWAR~1\tools\iesdsg.dll (file missing)
        O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
        O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)


        Now click fix checked ........

        Now reboot and see how things are ......
        If things are still not right .......
        Post another hijackthis scan ......
        Let us know what's happening

        dl65  ::)


        « Last Edit: April 11, 2005, 12:56:12 PM by dl65 »
        If you don't know the answer, it isn't a dumb question.
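The triage dl65 applies to Snerd's HijackThis log (Reply #6 and the removal list in Reply #8) can be written down as a small rule set. This is an added example, not part of the thread or of HijackThis; the sample log below is constructed from the entry lines quoted in Reply #6, and the rules mirror dl65's reasoning (R1 proxy, orphaned R3/O2/O3 entries, O15 Trusted Zone) plus the O16 file:// codebase that the Antispyware report in Reply #12 later ties to the infection.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format. The entries are the ones
# quoted in Reply #6 of this thread, trimmed to the types the triage looks at.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5401
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\UTILIT~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Utilities\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6.cab
"""

def _orphaned(rest):
    # HijackThis marks a registered hook/BHO/toolbar whose file is gone like this.
    return "(no file)" in rest or "(file missing)" in rest

# (section code, predicate on the entry text, why it is worth a look). The rules
# mirror dl65's removal list in Reply #8 plus the O16 item later tied to Reply #12.
RULES = [
    ("R1", lambda r: "ProxyServer" in r,
     "IE proxy is set; confirm it belongs to software you knowingly installed"),
    ("R3", _orphaned, "URLSearchHook with no backing file (orphaned hook)"),
    ("O2", _orphaned, "browser helper object whose DLL is missing"),
    ("O3", _orphaned, "toolbar whose DLL is missing"),
    ("O15", lambda r: True, "site added to the IE Trusted Zone"),
    ("O16", lambda r: re.search(r"\bfile://", r, re.I) is not None,
     "ActiveX Downloaded Program File installed from a local file:// codebase"),
]

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")

def parse_entries(log_text):
    """Yield (code, rest) for every entry line; header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Return [(code, reason, entry)] for entries that match a rule, in log order."""
    hits = []
    for code, rest in parse_entries(log_text):
        for rule_code, pred, reason in RULES:
            if code == rule_code and pred(rest):
                hits.append((code, reason, rest))
                break
    return hits

if __name__ == "__main__":
    for code, reason, rest in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {rest}")
```

On the sample the six flagged entries are exactly the ones dl65 told Snerd to mark, plus the O16 line; the O4 ZoneAlarm entry passes untouched because none of the rules concern legitimate Run keys.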

        Snerd
        Re: Downloader-yh trojan
        « Reply #9 on: April 11, 2005, 02:16:30 PM »
        Ok  Thanks for the interest and help-  I did what you suggested and a bit more to clean up.

        I dumped AOL and am using a 28.8 dial-up; it's the best I can get in the mountains of No. Idaho.   Having a bit of trouble with Thunderbird and mail at yahoo but I will get there.

        It seems I was able to keep AOL's McAfee and that's good.

        System is much cleaner and a bit more stable - never see a BSOD.  But........ the trojan is still there and every few hours McAfee deletes the 2 files it spawns.   It seems to be confined now.    For a small and free program that HijackThis packs one *censored* of a wallop.

        I'll check back often and if you find out anything  please let me know and I'll do the same.

        Thanks again

        dl65
          Re: Downloader-yh trojan
          « Reply #10 on: April 11, 2005, 03:08:53 PM »
          Snerd....Glad to hear you're making some headway .......however , having the trojan still present isn't good ......I would like you to disable your system restore feature that XP has built into it . ( the trojan may be hiding in there )
          The next time McAfee identifies the pest.......write down its name and then Click on start / Run ....... Now type regedit and press enter ........
          When the registry editor opens .........click on edit ......then scroll down to Find  and click on that .......when the FIND box opens .......where it says find what ........type in the name of what McAfee found and then click find next ......the registry will be searched and if it finds a matching entry .......you will be taken directly to it .  ( the entry should be highlighted ) after you confirm that the highlighted entry is in fact the one you're looking for .....right click on the highlighted entry and select delete ........
          Now go back to the Find box again and click the Find next again ........( the item's name will still be there ) .......keep repeating the search until you get the message that the registry doesn't contain any matching entries .    Now go back to the Find box again and enter the name of the other one that McAfee found and click find next .......and again if you are taken to an entry that's highlighted ....double check to be sure it's the one then right click on the highlighted item and select delete........ then repeat the search until the message appears to say that nothing was found ..........
          Now reboot and see how things are ........

          You might also want to go to ........ http://www.microsoft.com/athome/security/spyware/software/default.mspx   .....D/L and install Antispyware Beta ( it's a very good program ) run it and delete anything it finds.

          dl65  ::)
          « Last Edit: April 11, 2005, 03:10:32 PM by dl65 »
          If you don't know the answer, it isn't a dumb question.

          Snerd
          Re: Downloader-yh trojan
          « Reply #11 on: April 11, 2005, 05:03:10 PM »
          Ya might have done it.  I quit when Microsoft found an unidentified trojan and removed it.   It also found stuff that Ad-aware Pro 181 build missed.   Recommend this program.

          Thank you again,

          I hope I won't be back LOL

          Snerd
          Re: Downloader-yh trojan
          « Reply #12 on: April 11, 2005, 06:21:49 PM »
          It's back - never left - This is the report

          Unclassified.ActiveX.Trojan.A Hostile ActiveX Control
          Details: Unclassified ActiveX Trojan A was identified by SpyNet as hostile. Currently research is under way to classify this threat and complete a risk assessment.
          Status: Removed
          Severe threat - Severe-risk items have an extreme potential for harm, such as a security exploit, and should be removed.

          Infected files detected
          C:\WINDOWS\Downloaded Program Files\Information.INF

          Infected registry keys/values detected
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111113456}
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111113456}\DownloadInformation CODEBASE file://c:\info6.cab
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111113456}\DownloadInformation INF C:\WINDOWS\Downloaded Program Files\Information.INF
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111113456}\InstalledVersion 0,0,0,1
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111113456} SystemComponent 0
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111113456} Installer MSICD

          Snerd
          Re: Downloader-yh trojan
          « Reply #13 on: April 11, 2005, 06:26:47 PM »
          And I still have it.    I did what you said with the registry, but McAfee had already deleted it and the trojan immediately replaced it.
          McAfee deleted i286.exe and I went to the folder to check and it was gone but i286(1).exe was there. Gonna scan again and will keep looking.

          dl65
            Re: Downloader-yh trojan
            « Reply #14 on: April 11, 2005, 07:44:36 PM »
            Snerd...Wow , this is one stubborn trojan.........
            Are you on the same site each time the Trojan is replicated ?
            Let's try this........ Go to Internet Explorer ....tools/Internet Options .........Now delete ...all cookies , all temporary internet files and history ........
            Next reboot into safe mode again and run your Anti-virus scanner ......when it's finished run your Antispyware Beta ...when that's finished run SpySubtract ........when that's finished reboot into normal mode and then rerun Hijackthis ......and post the log .....I want to compare to the last one ...

            You will succeed !

            dl65  ::)

            If you don't know the answer, it isn't a dumb question.